The Green Sheet Online Edition

February 28, 2011 • Issue 11:02:02

Insider's report on payments
Bold steps needed on fraud front

By Patti Murphy, The Takoma Group

In the payments space, everyone has an interest in card data security - merchants, banks, ISOs, even consumers. Yet criminals always manage to find the path of least resistance for stealing credit and debit card information. So why are credit and debit card numbers so readily available for the taking? In other words, why are credit card numbers still moving through the ether?

I've asked this repeatedly over the years. It came up again recently when First Data Corp. and the National Retail Federation released results of research regarding data security and fraud prevention practices of small to midsize merchants - those with less than $100,000 in annual sales. Among the findings: most merchants (85 percent) care about keeping customer card and payment data secure, yet 60 percent don't understand what a data breach would cost them.

Although two-thirds of surveyed merchants said they were aware of the Payment Card Industry (PCI) Data Security Standard (DSS), fewer than half had completed the self-assessment process the standard requires. Perhaps even more troubling, 42 percent of respondents were unaware of the annual self-assessment requirement.

Many merchants are clueless

The First Data-NRF survey also suggests confusion over who pays what when card numbers are compromised at the merchant level. For example, 60 percent of merchants surveyed didn't know they can be fined for every card that has to be canceled and reissued if they are found to be the source of a breach.

I need not tell anyone reading this that fraud can be costly. The Ponemon Institute, renowned for its work analyzing fraud trends, estimated the average cost to U.S. merchants coping with data breaches is $204 for each customer record breached, or about $6.7 million per breach in 2009. Then there's the problem of diminishing customer trust.

Trust is crucial to the payment process, so when payment card data is compromised, cardholders, understandably, grow uneasy. Ponemon found firms that had experienced data breaches lost an average of 3.9 percent of customers whose records had been compromised. Data breach-related customer churn rates were put at 5 percent for financial services firms.

Meanwhile, the First Data-NRF survey revealed that more than 4 percent of retailers with less than $100,000 in annual sales have been victimized by some type of fraud: physical thefts, tampering with terminals, computer viruses or malware, and misappropriation of card data were the top frauds named. Employee misuse or theft of credit and debit card information accounted for 17 percent of incidents reported by the survey group.

Four percent may not seem like a big deal until you consider there are at least 24.6 million businesses in the United States with less than $100,000 in sales, according to the federal government. That suggests 1 million small merchant businesses were victims of fraud last year, and roughly 170,000 of those cases involved misuse or outright theft of credit or debit card data.

So why do merchants hold card data at all? As a consumer, I don't like the notion that every merchant who accepts my credit or debit card has that information stowed away in a database, possibly without even being aware of it. That's why, when shopping online, I try to use only sites that indicate they don't hold onto customer card data or that provide anonymity through payment aggregators like PayPal Inc. and Google Checkout.

Online merchants are fighting back

Fraud represents a huge exposure to merchants and banks alike. Yet efforts to contain card fraud seem to be more successful with online than with brick-and-mortar establishments. Consider, for example, that in 2008, online merchants lost a total of $4 billion to payment fraud, or about 1.4 percent of online revenues, according to CyberSource Corp. And by last year, fraud losses had fallen to just 0.9 percent of revenues at online merchants, or about $2.7 billion.

Containing online fraud hasn't been easy or cheap. "Typically, one-third or more of merchants report spending 0.5 percent or more of their online revenues to manage fraud," stated the CyberSource 12th Annual Online Fraud Report. And the money seems well spent. "Much progress has been made in the last few years in reducing fraud losses while increasing valid order acceptance," CyberSource reported.

The same can't be said for brick-and-mortar establishments. From my vantage on the sidelines, it seems the best way to secure card data is to make sure merchants can never touch it. This can be done through end-to-end encryption or Europay/MasterCard/Visa (EMV)-compliant chip cards and readers. But that requires money for new POS devices, or modifications, and folks on the front lines say that isn't happening.

I don't get it. A few hundred dollars for an encrypted terminal or a $50 upgrade to EMV is chump change compared with the cost to a merchant of being compromised.

Wal-Mart Stores Inc. has invested in EMV-compliant terminals, but it hasn't yet implemented the necessary software. Many experts have suggested that once Wal-Mart makes the switch, every other retailer will do the same. I'm not convinced. Even if Wal-Mart is able to sway millions of smaller retailers, the switch to EMV isn't going to happen overnight.

What could move things along is a push from the Federal Reserve, and that's not a stretch. In 2003 Congress passed the Check 21 Act instructing the Fed to get paper out of the check system as soon as possible, and the Fed responded by requiring all financial institutions to accept electronic check presentments. It worked like a charm. When was the last time you saw a canceled paper check?

If the Fed forces issuers to move to chip cards, retailers will have to make the necessary terminal changes. And then there will be one less card system vulnerability for fraudsters to pursue.